Fix a heap overflow with pack "W"

2017-01-20 09:49:49 +01:00 · 2017-01-20 09:49:49 +01:00 · 96616c59c9
commit 96616c59c9
parent c33285d987
3 changed files with 96 additions and 0 deletions
--- a/perl-5.25.8-perl-129149-avoid-a-heap-buffer-overflow-with-pack-W.patch
+++ b/perl-5.25.8-perl-129149-avoid-a-heap-buffer-overflow-with-pack-W.patch
@ -0,0 +1,58 @@
+From bf4a926a29374161655548b149d1cb37300bcc05 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 7 Sep 2016 16:51:39 +1000
+Subject: [PATCH] (perl #129149) avoid a heap buffer overflow with pack "W"...
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ pp_pack.c   |  2 +-
+ t/op/pack.t | 13 ++++++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/pp_pack.c b/pp_pack.c
+index ee4c69e..737e019 100644
+--- a/pp_pack.c
+++ b/pp_pack.c
+@@ -2587,7 +2587,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
+ 		if (in_bytes) auv = auv % 0x100;
+ 		if (utf8) {
+ 		  W_utf8:
+-		    if (cur > end) {
+		    if (cur >= end) {
+ 			*cur = '\0';
+ 			SvCUR_set(cat, cur - start);
+ 
+diff --git a/t/op/pack.t b/t/op/pack.t
+index 3fc12e4..47d1216 100644
+--- a/t/op/pack.t
+++ b/t/op/pack.t
+@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
+ my $no_signedness = $] > 5.009 ? '' :
+   "Signed/unsigned pack modifiers not available on this perl";
+ 
+-plan tests => 14712;
+plan tests => 14713;
+ 
+ use strict;
+ use warnings qw(FATAL all);
+@@ -2047,3 +2047,14 @@ ok(1, "argument underflow did not crash");
+     is(pack("H40", $up_nul), $twenty_nuls,
+        "check pack H zero fills (utf8 source)");
+ }
+
+{
+    # [perl #129149] the code below would write one past the end of the output
+    # buffer, only detected by ASAN, not by valgrind
+    $Config{ivsize} >= 8
+      or skip "[perl #129149] need 64-bit for this test", 1;
+    fresh_perl_is(<<'EOS', "ok\n", { stderr => 1 }, "pack W overflow");
+print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}"
+ ? "ok\n" : "not ok\n";
+EOS
+}
+-- 
+2.7.4
+
--- a/perl-5.25.8-perl-129149-fix-the-test-so-skip-has-a-SKIP-to-work-.patch
+++ b/perl-5.25.8-perl-129149-fix-the-test-so-skip-has-a-SKIP-to-work-.patch
@ -0,0 +1,30 @@
+From 30be69c851a7fa7e29d85c9b6e070273df82f3e7 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 17 Jan 2017 15:36:31 +1100
+Subject: [PATCH] (perl #129149) fix the test so skip has a SKIP: to work with
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Thanks to bulk88 for pointing this out.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ t/op/pack.t | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/t/op/pack.t b/t/op/pack.t
+index 47d1216..919e4c5 100644
+--- a/t/op/pack.t
+++ b/t/op/pack.t
+@@ -2048,6 +2048,7 @@ ok(1, "argument underflow did not crash");
+        "check pack H zero fills (utf8 source)");
+ }
+ 
+SKIP:
+ {
+     # [perl #129149] the code below would write one past the end of the output
+     # buffer, only detected by ASAN, not by valgrind
+-- 
+2.7.4
+
--- a/perl.spec
+++ b/perl.spec
@ -240,6 +240,10 @@ Patch65:        perl-5.25.7-perl-130307-Correctly-unwind-on-cache-hit.patch
 # in upstream after 5.25.8
 Patch66:        perl-5.24.1-perl-130262-split-scalar-context-stack-overflow-fix.patch

+# Fix a heap overflow with pack "W", RT129149, in upstream after 5.25.8
+Patch67:        perl-5.25.8-perl-129149-avoid-a-heap-buffer-overflow-with-pack-W.patch
+Patch68:        perl-5.25.8-perl-129149-fix-the-test-so-skip-has-a-SKIP-to-work-.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch

@ -2930,6 +2934,8 @@ Perl extension for Version Objects
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
+%patch67 -p1
+%patch68 -p1
 %patch200 -p1
 %patch201 -p1

@ -2985,6 +2991,7 @@ perl -x patchlevel.h \
    'Fedora Patch64: Fix a memory leak in IO::Poll (RT#129788)' \
    'Fedora Patch65: Fix regular expression matching (RT#130307)' \
    'Fedora Patch66: Fix a buffer overflow in split in scalar context (RT#130262)' \
+    'Fedora Patch67: Fix a heap overflow with pack "W" (RT129149)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5263,6 +5270,7 @@ popd
 %changelog
 * Fri Jan 20 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-386
 - Fix a buffer overflow in split in scalar context (RT#130262)
+- Fix a heap overflow with pack "W" (RT129149)

 * Mon Jan 16 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.24.1-385
 - 5.24.1 bump (see <http://search.cpan.org/dist/perl-5.24.1/pod/perldelta.pod>